package io.gravitee.am.gateway.handler.common.vertx.web.handler.impl;

import io.gravitee.am.gateway.handler.common.vertx.utils.UriBuilderRequest;
import io.gravitee.am.gateway.handler.common.vertx.web.handler.ErrorParamsUpdater;
import io.gravitee.am.service.utils.vertx.RequestUtils;
import io.vertx.core.Vertx;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.auth.VertxContextPRNG;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.Session;
import io.vertx.ext.web.handler.CSRFHandler;
import io.vertx.rxjava3.core.MultiMap;
import io.vertx.rxjava3.core.http.HttpServerRequest;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Objects;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/handler/impl/CSRFHandlerImpl.class */
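/**
 * Double-submit CSRF protection for the gateway's web handlers.
 *
 * <p>On {@code GET} the handler issues a token of the form
 * {@code <base64 random>.<issue millis>.<base64 HMAC-SHA256>}, stores it in the
 * session (prefixed with the session id), sends it back as a cookie and exposes it
 * to the routing context / templates. On {@code POST}, {@code PUT}, {@code DELETE}
 * and {@code PATCH} the token submitted in the configured header (or, failing that,
 * the form attribute of the same name) must match the cookie, carry a valid HMAC and
 * not be older than {@code timeout} milliseconds; otherwise the request is redirected
 * back with a {@code session_expired} error. Other methods pass through untouched.
 *
 * <p>Fixes versus the previous revision:
 * <ul>
 *   <li>the issued cookie now honours {@link #setCookieHttpOnly(boolean)} and
 *       {@link #setCookieSecure(boolean)} — previously both setters had no effect;</li>
 *   <li>the HMAC is compared in constant time;</li>
 *   <li>the HMAC key is derived from the secret with an explicit charset instead of the
 *       platform default;</li>
 *   <li>the {@code _csrf} context entry uses the configured header name instead of the
 *       hard-coded default, so {@link #setHeaderName(String)} no longer breaks template
 *       rendering.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link #setOrigin(String)} stores the value but nothing in this class
 * reads it, i.e. no {@code Origin}/{@code Referer} check is performed here — confirm
 * whether that is intended.
 */
public class CSRFHandlerImpl implements CSRFHandler {
    // Logger name deliberately kept as in the previous revision so existing log
    // configuration keyed on the Vert.x class keeps working.
    private static final Logger log = LoggerFactory.getLogger(io.vertx.ext.web.handler.impl.CSRFHandlerImpl.class);
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    private static final int TOKEN_RANDOM_BYTES = 32;
    private static final char SESSION_ID_SEPARATOR = '/';
    // MIME encoder inserts CRLF every 76 chars; the 32-byte payloads encoded here
    // are 44 chars, so no line break is ever emitted and '.' never appears.
    private static final Base64.Encoder BASE64 = Base64.getMimeEncoder();
    private final VertxContextPRNG RAND;
    // Mac is not thread-safe; every use is guarded by synchronized(this.mac).
    private final Mac mac;
    private boolean nagHttps;
    private String cookieName = "XSRF-TOKEN";
    private String cookiePath = "/";
    private String headerName = "X-XSRF-TOKEN";
    private long timeout;
    private String origin;
    private boolean httpOnly;
    private boolean cookieSecure;

    /**
     * @param vertx   Vert.x instance used to obtain the context-bound secure PRNG
     * @param secret  shared secret used as the HMAC-SHA256 key; must be non-null and non-empty
     * @param timeout token lifetime in milliseconds, measured from issue time
     * @throws RuntimeException wrapping {@link NoSuchAlgorithmException} or
     *                          {@link InvalidKeyException} if the MAC cannot be set up
     */
    public CSRFHandlerImpl(Vertx vertx, String secret, long timeout) {
        Objects.requireNonNull(secret, "CSRF secret must not be null");
        this.RAND = VertxContextPRNG.current(vertx);
        this.timeout = timeout;
        try {
            this.mac = Mac.getInstance(HMAC_ALGORITHM);
            // Explicit charset: the platform default differs between JVMs/OSes and
            // would silently derive a different key on different nodes.
            this.mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_ALGORITHM));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /** Stored only; see the class-level note — this implementation never reads it. */
    public CSRFHandler setOrigin(String origin) {
        this.origin = origin;
        return this;
    }

    public CSRFHandler setCookieName(String cookieName) {
        this.cookieName = cookieName;
        return this;
    }

    public CSRFHandler setCookiePath(String cookiePath) {
        this.cookiePath = cookiePath;
        return this;
    }

    public CSRFHandler setCookieHttpOnly(boolean httpOnly) {
        this.httpOnly = httpOnly;
        return this;
    }

    public CSRFHandler setCookieSecure(boolean cookieSecure) {
        this.cookieSecure = cookieSecure;
        return this;
    }

    /** Name of the request header, form attribute, session key and context key carrying the token. */
    public CSRFHandler setHeaderName(String headerName) {
        this.headerName = headerName;
        return this;
    }

    /** Token lifetime in milliseconds from issue time. */
    public CSRFHandler setTimeout(long timeout) {
        this.timeout = timeout;
        return this;
    }

    public CSRFHandler setNagHttps(boolean nagHttps) {
        this.nagHttps = nagHttps;
        return this;
    }

    /**
     * Builds a fresh token: {@code base64(random32).millis.base64(hmac(base64(random32).millis))}.
     */
    private String generateToken() {
        byte[] salt = new byte[TOKEN_RANDOM_BYTES];
        this.RAND.nextBytes(salt);
        String payload = BASE64.encodeToString(salt) + "." + System.currentTimeMillis();
        return payload + "." + sign(payload);
    }

    /** HMAC-SHA256 of {@code payload} (ASCII), base64-encoded. Serialised on the shared Mac. */
    private String sign(String payload) {
        byte[] signature;
        synchronized (this.mac) {
            signature = this.mac.doFinal(payload.getBytes(StandardCharsets.US_ASCII));
        }
        return BASE64.encodeToString(signature);
    }

    /**
     * Double-submit check: the submitted token must equal the cookie value, carry a
     * valid HMAC over its first two segments and not be older than {@code timeout}.
     *
     * @param token  token taken from the request header/form (may be null)
     * @param cookie CSRF cookie from the request (may be null)
     * @return true only when every check passes
     */
    private boolean validateToken(String token, Cookie cookie) {
        // Both sides here are request-supplied, so a plain equals leaks nothing secret.
        if (token == null || cookie == null || !token.equals(cookie.getValue())) {
            return false;
        }
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        String expected = sign(parts[0] + "." + parts[1]);
        // Constant-time comparison: the expected value is derived from the secret key.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                parts[2].getBytes(StandardCharsets.US_ASCII))) {
            return false;
        }
        try {
            long issuedAt = Long.parseLong(parts[1]);
            return System.currentTimeMillis() <= issuedAt + this.timeout;
        } catch (NumberFormatException e) {
            // Timestamp segment was not a number; the HMAC matched, but treat it as invalid.
            return false;
        }
    }

    /**
     * Rejects the request by redirecting back to the same path with a
     * {@code session_expired} error attached; the error params are also remembered in
     * the session under {@code errorHash} when a session exists.
     */
    protected void redirect(RoutingContext routingContext) {
        HttpServerRequest request = new HttpServerRequest(routingContext.request());
        MultiMap queryParams = RequestUtils.getCleanedQueryParams(request);
        String errorHash = ErrorParamsUpdater.addErrorParams(queryParams, "session_expired", "Your session expired, please try again.");
        Session session = routingContext.session();
        if (session != null) {
            session.put("errorHash", errorHash);
        }
        String location = UriBuilderRequest.resolveProxyRequest(request, routingContext.request().path(), queryParams, true);
        routingContext.response()
                .putHeader(HttpHeaders.LOCATION, location)
                .setStatusCode(302)
                .end();
    }

    /**
     * Entry point: issues a token on GET, verifies it on state-changing methods and
     * passes every other method straight through.
     */
    public void handle(RoutingContext routingContext) {
        if (this.nagHttps) {
            String absoluteUri = routingContext.request().absoluteURI();
            if (absoluteUri != null && !absoluteUri.startsWith("https:")) {
                log.warn("Using session cookies without https could make you susceptible to session hijacking: " + absoluteUri);
            }
        }
        switch (routingContext.request().method().name()) {
            case "GET":
                issueToken(routingContext);
                routingContext.next();
                break;
            case "POST":
            case "PUT":
            case "DELETE":
            case "PATCH":
                if (validateToken(submittedToken(routingContext), routingContext.request().getCookie(this.cookieName))) {
                    routingContext.next();
                } else {
                    redirect(routingContext);
                }
                break;
            default:
                // HEAD, OPTIONS, etc. are not protected.
                routingContext.next();
                break;
        }
    }

    /** Token from the configured header, falling back to the form attribute of the same name. */
    private String submittedToken(RoutingContext routingContext) {
        String fromHeader = routingContext.request().getHeader(this.headerName);
        return fromHeader != null ? fromHeader : routingContext.request().getFormAttribute(this.headerName);
    }

    /**
     * GET path: reuse the session's token when it is still valid and bound to this
     * session, otherwise mint a new one; then set the cookie and expose the token to
     * the routing context.
     */
    private void issueToken(RoutingContext routingContext) {
        Session session = routingContext.session();
        String token = session == null ? generateToken() : sessionToken(routingContext, session);
        // Previously the cookie ignored httpOnly/secure; both flags are now applied.
        routingContext.response().addCookie(Cookie.cookie(this.cookieName, token)
                .setPath(this.cookiePath)
                .setHttpOnly(this.httpOnly)
                .setSecure(this.cookieSecure));
        routingContext.put(this.headerName, token);
        enhanceContext(routingContext);
    }

    /**
     * Returns the token stored in the session if it is bound to the current session id
     * and still validates against the request cookie; otherwise rotates it.
     */
    private String sessionToken(RoutingContext routingContext, Session session) {
        String stored = (String) session.get(this.headerName);
        if (stored == null) {
            return generateAndStoreToken(routingContext);
        }
        int separator = stored.indexOf(SESSION_ID_SEPARATOR);
        if (separator == -1) {
            return generateAndStoreToken(routingContext);
        }
        // Reject tokens minted under a different session id (e.g. after session regeneration).
        if (!stored.substring(0, separator).equals(session.id())) {
            return generateAndStoreToken(routingContext);
        }
        String token = stored.substring(separator + 1);
        if (!validateToken(token, routingContext.request().getCookie(this.cookieName))) {
            return generateAndStoreToken(routingContext);
        }
        return token;
    }

    /** Mints a token and stores it in the session as {@code <sessionId>/<token>}. */
    private String generateAndStoreToken(RoutingContext routingContext) {
        String token = generateToken();
        Session session = routingContext.session();
        session.put(this.headerName, session.id() + SESSION_ID_SEPARATOR + token);
        return token;
    }

    /**
     * Exposes {@code _csrf = {parameterName, token}} to templates. Uses the configured
     * header name so a custom {@link #setHeaderName(String)} still resolves the token
     * (the previous revision hard-coded the default name here).
     */
    private void enhanceContext(RoutingContext routingContext) {
        HashMap<String, String> csrf = new HashMap<>();
        csrf.put("parameterName", this.headerName);
        csrf.put("token", (String) routingContext.get(this.headerName));
        routingContext.put("_csrf", csrf);
    }
}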
